Computer Network Security -- Information Assurance Issues
Discussion Question 1 - Information Assurance and IA-CMM.
In general, information assurance relates to the three "CIA" elements of information confidentiality, integrity, and availability (Boyce, 2008; Kizza, 2009). The confidentiality component refers mainly to the limitation of access to system information to authorized individuals; the integrity component refers mainly to the limitation of changes to data and other elements of the system to authorized individuals and processes; and the availability component refers mainly to the maintenance of the system's ability to function and provide access to information at all times (Boyce, 2008; Kizza, 2009).
Because our organization relates to healthcare, we must, by federal law, observe very strict protocols under the Health Insurance Portability and Accountability Act (HIPAA) that are designed to protect confidential healthcare information, called "protected health information" (PHI) (Personick & Patterson, 2007). One of the fundamental HIPAA requirements is that every organization that uses or accesses PHI maintain an Information Security Officer (ISO) within the organization. The ISO is responsible for making sure that all employees and other personnel (including unpaid interns) receive the training necessary to ensure that they understand the importance of maintaining the absolute confidentiality of PHI (Personick & Patterson, 2007). She also coordinates information technology (IT) training throughout the organization, and she works closely with the IT department to make sure that all employees understand and adhere to the organization's rules, policies, and procedures in connection with IT system security. One of the typical challenges faced by the ISO is that she must allow the IT administrators to monitor, maintain, and periodically upgrade all of our IT and other communications systems while simultaneously minimizing any disruption of their availability to employees who rely heavily on those systems to perform their duties.
Discussion Question 2 - Security Awareness Training and IA Training
In general, security awareness training consists of periodic classes and online tutorials and related quizzes that promote understanding of the nature of different types of threats to information security (Boyce, 2008; Kizza, 2009). That training addresses three kinds of threat: malicious intrusion from external entities; malicious intrusion and misuse of information access or system credentials from the inside; and malicious attempts to gain access to systems and information through social engineering methods (Boyce, 2008; Kizza, 2009). In our organization, the ISO schedules IT security training sessions for the entire staff and also establishes security certification schedules that require all employees to complete and pass online tutorials by specific dates.
Discussion Question 3 -- Appropriate INFOSEC Trainings in Organizations